diff options
| author | Jessica Clarke <jrtc27@FreeBSD.org> | 2021-10-24 18:48:59 +0000 |
|---|---|---|
| committer | Jessica Clarke <jrtc27@FreeBSD.org> | 2021-10-27 17:38:37 +0000 |
| commit | f350bc1dd368a3024ba9ef2a9e8431fc1edd8094 (patch) | |
| tree | c4e587cc1a40e688837b4d037a13048b7d980533 /usr.sbin | |
| parent | 29863d1effe20da3cc75ae10bd52d96edafe9e59 (diff) | |
| download | src-f350bc1dd368a3024ba9ef2a9e8431fc1edd8094.tar.gz src-f350bc1dd368a3024ba9ef2a9e8431fc1edd8094.zip | |
ada: Fix intra-object buffer overread of identify strings
In the ATA/ATAPI spec these are space-padded fixed-length strings with
no NUL-terminator (and byte swapped). When performing the identify we
call ata_param_fixup to swap the bytes back to be in order, strip any
leading/trailing spaces and coalesce consecutive spaces, padding with
NULs. However, if the input has no padding spaces, the fixed-up strings
are still not NUL-terminated. This causes two issues. The first is that
strlcpy will truncate the string by replacing the final byte with a NUL.
The second is that strlcpy will keep reading src until it finds a NUL in
order to calculate the return value, which is defined as the length of
src (so that callers can then compare it with the dsize input to see if
the input string was truncated), thereby reading past the end of the
buffer and into whatever adjacent fields are in the structure. In
practice there's a NUL byte somewhere in the structure, but on CHERI
with subobject bounds enabled in the compiler this overread will be
detected and trap as a bounds violation.
Note this matches ata_xpt's aprobedone, which does a bcopy to a
malloc'ed buffer and manually NUL-terminates it for the CAM path's
device's serial_num.
Found by: CHERI
Reviewed by: imp, scottl
Differential Revision: https://reviews.freebsd.org/D32567
Diffstat (limited to 'usr.sbin')
0 files changed, 0 insertions, 0 deletions